GCC (and maybe Clang) lose local initializer state before BUILD_BUG_ON() if a function call is made between

kees commented 1 month ago

https://lore.kernel.org/linux-hardening/ZrZs5KL5Pz9tIinr@cute/

Reproduces with:

extern int ohai(int cow);

static bool iwl_mvm_gtk_rekey(struct iwl_wowlan_status_data *status,
                              struct ieee80211_vif *vif,
                              struct iwl_mvm *mvm, u32 gtk_cipher)
{
        int i, j;
        struct ieee80211_key_conf *key;
        union {
                u8 bytes[struct_size_t(struct ieee80211_key_conf, key, WOWLAN_KEY_MAX_SIZE)];
                struct ieee80211_key_conf obj;
        } conf_u = { .obj.keylen = WOWLAN_KEY_MAX_SIZE, };
        struct ieee80211_key_conf *conf = (struct ieee80211_key_conf *)&conf_u;
        //int link_id = vif->active_links ? __ffs(vif->active_links) : -1;
        int link_id = ohai(5); //vif->active_links ? ohai(vif->active_links) : -1;

        conf->cipher = gtk_cipher;

        BUILD_BUG_ON(WLAN_KEY_LEN_CCMP != WLAN_KEY_LEN_GCMP);
        BUILD_BUG_ON(conf->keylen < WLAN_KEY_LEN_CCMP);

@GustavoARSilva @nathanchance

kees commented 1 month ago

Next step is to get a small reproducer

kees commented 1 month ago

This is a problem with missing __attribute_const__ for ffs, ffs, fls, fls.

KSPP / linux

GCC (and maybe Clang) lose local initializer state before BUILD_BUG_ON() if a function call is made between #364